Improve email validation

Author: zigazajc007

package-lock.json

@@ -1,22 +1,22 @@
 {
-  "name": "passky-server",
-  "description": "Server for Passky (password manager)",
-  "version": "8.1.7",
-  "main": "tailwind.config.js",
-  "scripts": {
-    "build": "npx tailwindcss -i ./tailwind.css -o ./server/src/website/css/tailwind.min.css --minify"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/Rabbit-Company/Passky-Server.git"
-  },
-  "author": "Rabbit Company",
-  "license": "GPL-3.0",
-  "bugs": {
-    "url": "https://github.com/Rabbit-Company/Passky-Server/issues"
-  },
-  "homepage": "https://github.com/Rabbit-Company/Passky-Server#readme",
-  "devDependencies": {
-    "tailwindcss": "^3.4.3"
-  }
-}
+	"name": "passky-server",
+	"description": "Server for Passky (password manager)",
+	"version": "8.1.8",
+	"main": "tailwind.config.js",
+	"scripts": {
+		"build": "npx tailwindcss -i ./tailwind.css -o ./server/src/website/css/tailwind.min.css --minify"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/Rabbit-Company/Passky-Server.git"
+	},
+	"author": "Rabbit Company",
+	"license": "GPL-3.0",
+	"bugs": {
+		"url": "https://github.com/Rabbit-Company/Passky-Server/issues"
+	},
+	"homepage": "https://github.com/Rabbit-Company/Passky-Server#readme",
+	"devDependencies": {
+		"tailwindcss": "^3.4.14"
+	}
+}

package.json

@@ -312,10 +312,8 @@ public static function createAccount(string $username, string $password, string
 			if($amount_of_accounts >= Settings::getMaxAccounts()) return Display::json(15);
 		}
 
-		$sub_email = filter_var($email, FILTER_SANITIZE_EMAIL);
-
 		if(!preg_match("/^[a-z0-9._]{6,30}$/i", $username)) return Display::json(12);
-		if(!filter_var($sub_email, FILTER_VALIDATE_EMAIL)) return Display::json(6);
+		if(!preg_match("/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9-]{2,}$/i", $email) || strlen($email) > 200) return Display::json(6);
 		if(!preg_match("/^[a-z0-9]{128}$/i", $password)) return Display::json(5);
 
 		$username = strtolower($username);
@@ -923,14 +921,15 @@ public static function removeYubiKey(string $username, string $token, string $id
 
 	public static function forgotUsername(string $email) : string{
 		if(!Settings::getMail()) return Display::json(28);
-		$sub_email = filter_var($email, FILTER_SANITIZE_EMAIL);
-		if(!filter_var($sub_email, FILTER_VALIDATE_EMAIL)) return Display::json(6);
+		if(!preg_match("/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9-]{2,}$/i", $email) || strlen($email) > 200) return Display::json(6);
+
+		$email = strtolower($email);
 
 		try{
 			$conn = Settings::createConnection();
 
 			$stmt = $conn->prepare('SELECT username FROM users WHERE email = :email');
-			$stmt->bindParam(':email', $sub_email, PDO::PARAM_STR);
+			$stmt->bindParam(':email', $email, PDO::PARAM_STR);
 			$stmt->execute();
 
 			$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

server/src/Database.php

@@ -21,7 +21,7 @@ class Settings{
 */
 
 	public static function getVersion() : string{
-		return '8.1.7';
+		return '8.1.8';
 	}
 
 	public static function getLocation() : string{

server/src/Settings.php

@@ -3,7 +3,7 @@
 
 session_start();
 
-$token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+$token = htmlspecialchars(filter_input(INPUT_GET, 'token'), ENT_QUOTES, 'UTF-8');
 
 if(!isset($_SESSION['username']) || !isset($_SESSION['token']) || !$token || $token !== $_SESSION['token']){
 	$_SESSION['page'] = 'home';

server/src/website/actions/createLicense.php

@@ -3,7 +3,7 @@
 
 session_start();
 
-$token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+$token = htmlspecialchars(filter_input(INPUT_GET, 'token'), ENT_QUOTES, 'UTF-8');
 
 if(!isset($_SESSION['username']) || !isset($_SESSION['token']) || !$token || $token !== $_SESSION['token']){
 	$_SESSION['page'] = 'home';

server/src/website/actions/deleteAccount.php

@@ -3,7 +3,7 @@
 
 session_start();
 
-$token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+$token = htmlspecialchars(filter_input(INPUT_GET, 'token'), ENT_QUOTES, 'UTF-8');
 
 if(!isset($_SESSION['username']) || !isset($_SESSION['token']) || !$token || $token !== $_SESSION['token']){
 	$_SESSION['page'] = 'home';

server/src/website/actions/deleteLicense.php

@@ -3,7 +3,7 @@
 
 session_start();
 
-$token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+$token = htmlspecialchars(filter_input(INPUT_GET, 'token'), ENT_QUOTES, 'UTF-8');
 
 if(!isset($_SESSION['username']) || !isset($_SESSION['token']) || !$token || $token !== $_SESSION['token']){
 	$_SESSION['page'] = 'home';
@@ -17,8 +17,6 @@
 $disable2fa = ($_GET['disable2fa'] === 'true') ? true : false;
 $disablePremium = ($_GET['disablePremium'] === 'true') ? true : false;
 
-$sub_email = filter_var($email, FILTER_SANITIZE_EMAIL);
-
 if(!is_numeric($maxPasswords)) $maxPasswords = Settings::getMaxPasswords();
 if($maxPasswords < 0) $maxPasswords = -1;
 if($maxPasswords > 1_000_000_000) $maxPasswords = 1_000_000_000;
@@ -28,10 +26,10 @@
 try{
 	$conn = Settings::createConnection();
 
-	if(filter_var($sub_email, FILTER_VALIDATE_EMAIL)){
+	if(preg_match("/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9-]{2,}$/i", $email) && strlen($email) <= 200){
 		$stmt = $conn->prepare('UPDATE users SET email = :email, max_passwords = :maxPasswords WHERE username = :username');
 		$stmt->bindParam(':username', $username, PDO::PARAM_STR);
-		$stmt->bindParam(':email', $email, PDO::PARAM_STR);
+		$stmt->bindParam(':email', strtolower($email), PDO::PARAM_STR);
 		$stmt->bindParam(':maxPasswords', $maxPasswords, PDO::PARAM_INT);
 		$stmt->execute();
 	}else{